LTE Security – How Good Is It?

Michael Bartock, IT Specialist (Security), National Institute of Standards & Technology
Jeffrey Cichonski, IT Specialist (Security), National Institute of Standards & Technology
Joshua Franklin, IT Specialist (Security), National Institute of Standards & Technology

Disclaimer

Certain commercial entities, equipment, or materials may be identified in this presentation in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Agenda

  • Discussion of LTE standards
  • Description of LTE technology
  • Exploration of LTE's protection mechanisms
  • In-depth discussion of applied backhaul security research
  • Enumeration of threats to LTE
  • How good is LTE security?

Context of Research

  • The Public Safety Communications Research (PSCR) program is a joint effort between NTIA & NIST
  • Located in Boulder, CO
  • PSCR investigates methods to make public safety communications systems interoperable and secure, and to ensure they meet the needs of US public safety personnel
  • Researching the applicability of LTE in public safety communications

What is LTE

  • LTE – Long Term Evolution
  • Evolutionary step from GSM to UMTS
  • 4th generation cellular technology standard from the 3rd Generation Partnership Project (3GPP)
  • Deployed worldwide and installations are rapidly increasing
  • LTE is completely packet-switched
  • Technology to provide increased data rates

Cybersecurity Research Objectives

  • Led by the Information Technology Laboratory's Computer Security Division with support from Software and System Division and Information Access Division
  • Kicked off at the PSCR stakeholder meeting in June 2013
  • Takes a holistic approach to cybersecurity for public safety communications
  • Leverages existing mobile cybersecurity efforts within the government and industry
  • Conduct research to fill gaps in cybersecurity

Cybersecurity Research Objectives

  • LTE architecture, standards, and security (NISTIR)
  • Identity management for public safety (NISTIR 8014)
  • Mobile application security for public safety
  • Enabling cybersecurity features in the PSCR demonstration network
  • Mapping public safety communication network requirements to standard cybersecurity controls and frameworks (NISTIR)
  • Usable cybersecurity for public safety

3GPP Standards & Evolution

  • 2G: GSM
  • 2.5G: EDGE
  • 3G: UMTS
  • 3.5G: HSPA
  • 4G: LTE

Note: Simplified for brevity

LTE Technology Overview

The Basics

  • A device (UE) connects to a network of base stations (E-UTRAN)
  • The E-UTRAN connects to a core network (Core)
  • The Core connects to the internet (IP network).

Mobile Device

  • User equipment (UE): Cellular device containing the following
      • Mobile equipment (ME): The physical cellular device
      • UICC: Known as SIM card
          • Responsible for running the SIM and USIM Applications
          • Can store personal info (e.g., contacts) & even play video games!
  • IMEI: Equipment Identifier
  • IMSI: Subscriber Identifier

The Evolved Universal Terrestrial Radio Access Network (E-UTRAN)

  • eNodeB: Radio component of LTE network
      • De-modulates RF signals & transmits IP packets to core network
      • Modulates IP packets & transmits RF signals to UE
  • E-UTRAN: mesh network of eNodeBs
  • X2 Interface: connection between eNodeBs

Evolved Packet Core (EPC)

  • Mobility Management Entity (MME)
      • Primary signaling node - does not interact with user traffic
      • Functions include managing & storing UE contexts, creating temporary IDs, sending pages, controlling authentication functions, & selecting the S-GW and P-GWs
  • Serving Gateway (S-GW)
      • Router of information between the P-GW and the E-UTRAN
      • Carries user plane data, anchors UEs for intra-eNodeB handoffs
  • Packet Data Gateway (P-GW)
      • Allocates IP addresses and routes packets
      • Interconnects with non 3GPP networks
  • Home Subscriber Server (HSS)
      • Houses subscriber identifiers and critical security information

Note: Simplified for brevity

LTE Network

Communications Planes

  • LTE uses multiple planes of communication
  • Different logical planes are multiplexed into same RF signal
  • Routed to different end points

LTE Protocols

TCP/IP sits on top of the cellular protocol stack:

  • Radio Resource Control (RRC): Transfers NAS messages, AS information may be included, signaling, and ECM
  • Packet Data Convergence Protocol (PDCP): header compression, radio encryption
  • Radio Link Control (RLC): Readies packets to be transferred over the air interface
  • Medium Access Control (MAC): Multiplexing, QoS

Subscriber Identity (IMSI)

International Mobile Subscriber Identity (IMSI):

  MCC    MNC    MSIN
  310    014    00000****

  • LTE uses a unique ID for every subscriber
  • 15 digit number stored on the UICC
  • Consists of 3 values: MCC, MNC, and MSIN
  • Distinct from the subscriber's phone number

LTE Security Architecture

LTE Security Architecture

We will explore several LTE defenses:

  • SIM cards and UICC tokens
  • Device and network authentication
  • Air interface protection (Uu)
  • Backhaul and network protection (S1-MME, S1-U)

LTE's security architecture is defined by 3GPP's TS 33.401

  • There are many, many, many references to other standards within

UICC Token

  • Hardware storage location for sensitive information
      • Stores pre-shared key K
      • Stores IMSI
  • Limited access to the UICC via a restricted API
  • Performs cryptographic operations for authentication

TS 33.401 - 6.1.1: Access to E-UTRAN with a 2G SIM or a SIM application on a UICC shall not be granted.

Device & Network Authentication

  • Authentication and Key Agreement (AKA) is the protocol used for devices to authenticate with the carrier to gain network access
  • The cryptographic keys needed to encrypt calls are generated upon completion of the AKA protocol

3GPP 33.401 - 6.1.1: EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.
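
The keys generated on completion of AKA form a derivation chain: CK and IK yield K_ASME, which yields K_eNB and the NAS, RRC and user-plane keys. The sketch below is an added example, not part of the original slides: it uses the HMAC-SHA-256 key derivation function and FC constants from TS 33.401 Annex A, takes constructed CK/IK values as input (the step that computes them from K on the UICC and HSS is not implemented), and all function names are hypothetical.

```python
import hashlib
import hmac

# FC values and encodings follow 3GPP TS 33.401 Annex A / TS 33.220 Annex B.
FC_KASME, FC_KENB, FC_ALG = 0x10, 0x11, 0x15
ALG_TYPE = {"NAS-enc": 1, "NAS-int": 2, "RRC-enc": 3, "RRC-int": 4, "UP-enc": 5}
SNOW3G, AES, ZUC = 1, 2, 3  # algorithm identities (EEA1/EIA1, EEA2/EIA2, EEA3/EIA3)


def s_string(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-byte length."""
    return bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 keyed with the parent key over S."""
    return hmac.new(key, s_string(fc, *params), hashlib.sha256).digest()


def sn_id(mcc: str, mnc: str) -> bytes:
    """Serving network id: MCC/MNC as 3 BCD octets (2-digit MNC padded 0xF)."""
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([m[1] << 4 | m[0], n[2] << 4 | m[2], n[1] << 4 | n[0]])


def alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """128-bit algorithm key: the 128 least significant bits of the KDF output."""
    return kdf(parent, FC_ALG, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]


def derive_hierarchy(ck, ik, mcc, mnc, sqn_xor_ak, ul_nas_count, alg_id=AES):
    """Walk CK/IK -> K_ASME -> K_eNB -> per-layer protection keys."""
    k_asme = kdf(ck + ik, FC_KASME, sn_id(mcc, mnc), sqn_xor_ak)
    k_enb = kdf(k_asme, FC_KENB, ul_nas_count.to_bytes(4, "big"))
    keys = {"K_ASME": k_asme, "K_eNB": k_enb}
    for name in ("NAS-enc", "NAS-int"):            # NAS keys hang off K_ASME
        keys[name] = alg_key(k_asme, name, alg_id)
    for name in ("RRC-enc", "RRC-int", "UP-enc"):  # RRC/UP keys hang off K_eNB
        keys[name] = alg_key(k_enb, name, alg_id)
    return keys


# Constructed sample inputs (not real key material): CK/IK stand in for the
# AKA outputs; MCC/MNC are the 310/014 values shown on the IMSI slide.
CK, IK = bytes(range(16)), bytes(range(16, 32))
SAMPLE = derive_hierarchy(CK, IK, "310", "014", bytes(6), ul_nas_count=0)

if __name__ == "__main__":
    for name, key in SAMPLE.items():
        print(f"{name:8s} {len(key) * 8:3d} bits  {key.hex()}")
```

Because the serving network identity is an input to K_ASME, changing the MCC/MNC changes K_ASME and every key below it.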

AKA Packet Capture

  • Sending Temporary Identity
  • Authentication Vectors
  • Authentication Response

Cryptographic Key Usage

  • K: 128-bit master key. Put into USIM and HSS by carrier
  • CK & IK: 128-bit Cipher key and Integrity key
  • KASME: 256-bit local master, derived from CK & IK
  • KeNB: 256-bit key used to derive additional keys
  • NASenc & NASint: 256/128-bit key protecting NAS
  • RRCenc & RRCint: 256/128-bit key protecting RRC
  • UPenc: 256/128-bit key protecting UP traffic

Air Interface Protection

  • The connection between the UE and the eNodeB is referred to as the air interface
  • 3 algorithms exist to protect the LTE air interface:
      • SNOW 3G = stream cipher designed by Lund University (Sweden)
      • AES = Block cipher standardized by NIST (USA)
      • ZUC = stream cipher designed by the Chinese Academy of Sciences (China)
  • Each algorithm can be used for confidentiality protection, integrity protection, or to protect both.

3GPP 33.401 - 5.1.3.1: User plane confidentiality protection shall be done at PDCP layer and is an operator option.

Backhaul Protection

  • Confidentiality protection of traffic running over S1 Interface (Backhaul)
  • Hardware security appliances are used to implement this standard
  • Security Gateways (SEG)
  • IPSEC tunnel created between eNodeB and SEG

3GPP TS 33.401 - 13: NOTE: In case the S1 management plane interfaces are trusted (e.g. physically protected), the use of protection based on IPsec/IKEv2 or equivalent mechanisms is not needed.

PSCR Applied Research

PSCR Applied Research

Our Focus is on communication from the cell site to core network.

Initial Research Goal

  • Enable data encryption on the backhaul connection.
  • Verify data is encrypted.
  • Analyze impact on network performance.
  • Encourage the default use of backhaul encryption.

Why Encrypt the Backhaul

  • User data travels over the backhaul.
  • The backhaul may or may not be trusted.
  • Example: Operator A uses Operator B's fiber trunk to connect remote cell sites to its core network.
  • An adversary could be listening in on this connection.

Implementation

  • Use Internet Protocol Security (IPSEC) to encrypt this communication.
      • Provides encryption at the Internet layer of the IP protocol stack
      • Commercial base stations support IPSEC
  • Use public key infrastructure (PKI) certificates to provide strong authentication.
      • Base station and core network authenticate each other.

Current State of Research

  • Collaborating with CRADA partners to identify commercial grade solutions
  • Implemented backhaul protection on part of PSCR Demonstration Network
  • Testing impacts on network performance
  • Working to verify interoperability & scalability

Non Encrypted Traffic

Encrypted Traffic

Initial Performance Results

[Chart: UDP Downlink, Mega Bits per Second. Bars: UDP Downlink IPSEC Off, UDP Downlink IPSEC On. Data labels: 39.47, 39.39.]

Initial Performance Results

[Chart: UDP Uplink, Mega Bits per Second. Bars: UDP Uplink IPSEC Off, UDP Uplink IPSEC On. Data labels: 12.12, 11.06.]

Next Steps

  • Identify additional tests to better simulate real world deployments.
      • Simulate multiple base stations connecting to one security gateway
      • Interoperability tests
  • Identify other vulnerable network interfaces to secure.
      • Uu

Threats to LTE Networks

General Computer Security Threats

  • Threat: LTE infrastructure runs off of commodity hardware & software.
      • With great commodity, comes great responsibility.
      • Susceptible to software and hardware flaws pervasive in any general purpose operating system or application
  • Mitigation: Security engineering and a secure system development lifecycle.

Renegotiation Attacks

Threat: Rogue
